Research
2026-02-22

Investigating 'living off the pipe' in CI systems

A field note on a technique we're seeing more often: adversaries using build systems as a long-term C2.

M. Okonkwo 9 min read

Over the last two quarters we've been tracking a pattern we've started calling 'living off the pipe': adversary use of CI/CD runners as a long-term, low-friction command-and-control channel.

The pattern

The mechanics are straightforward: compromise a developer identity, push a build-graph change that introduces a benign-looking dependency, and let the runner execute arbitrary code with full repo and cloud credentials.

Why this is hard to see

Build systems are noisy. Network egress from runners is normal. Credentials are supposed to be ephemeral. Detections calibrated for endpoints miss all of it.

What we're doing about it

Vector ships a pipe-specific detection pack this quarter. It looks at build-graph deltas, runner-identity drift, and egress patterns in concert.
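To make the "in concert" idea concrete for the three-step pattern above, here is an added Python sketch that is not the post's code and not Vector's detection pack: it scores each CI run on the three signals named (build-graph delta, runner-identity drift, novel egress) and only flags a run when at least two fire together. The record layout, the per-repo baseline, the threshold and the sample runs are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class BuildRun:
    """One CI run's telemetry (constructed shape, not any real runner's schema)."""
    run_id: str
    added_deps: list          # dependencies the commit's build-graph diff introduced
    runner_identity: str      # identity the runner assumed (e.g. a cloud role name)
    egress_hosts: list        # external hosts the runner connected to during the job

@dataclass
class Baseline:
    """Per-repo expectations learned from prior healthy runs (assumed)."""
    known_deps: set
    expected_identity: str
    known_egress: set

def score_run(run: BuildRun, baseline: Baseline) -> list:
    """Return the names of the signals that fire for this run."""
    signals = []
    if any(d not in baseline.known_deps for d in run.added_deps):
        signals.append("build-graph-delta")          # unfamiliar dependency added
    if run.runner_identity != baseline.expected_identity:
        signals.append("runner-identity-drift")      # job ran under an unexpected identity
    if any(h not in baseline.known_egress for h in run.egress_hosts):
        signals.append("novel-egress")               # talked to a host never seen before
    return signals

def detect(runs: list, baseline: Baseline, min_signals: int = 2) -> list:
    """Flag runs where at least min_signals signals co-occur; single signals stay quiet."""
    flagged = []
    for run in runs:
        signals = score_run(run, baseline)
        if len(signals) >= min_signals:
            flagged.append((run.run_id, signals))
    return flagged

# Constructed sample data: one healthy run, one with only a new (legitimate-looking)
# dependency, and one where all three signals line up on the same run.
BASELINE = Baseline({"requests", "pytest"}, "ci-builder-role", {"pypi.org", "github.com"})
RUNS = [
    BuildRun("run-1", [], "ci-builder-role", ["pypi.org"]),
    BuildRun("run-2", ["left-pad-utils"], "ci-builder-role", ["pypi.org"]),
    BuildRun("run-3", ["left-pad-utils"], "deploy-admin-role", ["pypi.org", "cdn.example.invalid"]),
]

if __name__ == "__main__":
    for run_id, signals in detect(RUNS, BASELINE):
        print(run_id, signals)
```

Tuning `min_signals` to 1 shows why the post stresses correlation: run-2 would then alert on an ordinary dependency bump.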